User Management
The Administration > Users page displays all users who have authenticated with Symphony, their group memberships, and their resolved roles.
Viewing Users
Navigate to Administration > Users to see a list of all known users. Each entry shows:
| Column | Description |
|---|---|
| Subject | The OIDC subject identifier (user ID or email) |
| Groups | Group memberships from the identity provider's token |
| Roles | Resolved roles based on group-to-role assignments |
| Permissions | Effective publish and subscribe permissions (union of all roles) |
Understanding Resolved Roles
A user's roles are determined by the RBAC system:
- Symphony reads the
groupsclaim from the user's OIDC token. - Each group is matched against role assignments configured in Administration > Assignments.
- The user receives the union of all roles from all matched groups.
- If no groups match any assignment, the
default_role(typicallyviewer) is applied.
Users in the configured admin_group (or matching admin_subject) automatically receive the symphony-admin role.
Bootstrap Mode
When neither admin_group nor admin_subject is configured in symphony.config, Symphony operates in bootstrap mode:
- All authenticated users have full administrator access
- The Administration menu is visible to everyone
- A warning banner is displayed in the UI (unless
"bootstrap": trueis set in therbacconfiguration)
This allows initial setup before an administrator has been designated. To exit bootstrap mode, configure RBAC as described in the RBAC guide.
In bootstrap mode, any authenticated user can modify roles, assignments, licenses, and other administrative settings. Configure RBAC as soon as your identity provider groups are ready.
See Also
- Role-Based Access Control—Configure groups, roles, and assignments
- Security—Authentication and security model